SECURITY AND PRIVACY
•Data and information are everywhere
•Attacks becoming more widespread
•Both “hacking” and social engineering
–“Fill out this credit card application and we’ll give you a free t-shirt!”
–Take this Facebook quiz to find out which HIMYM character you’re most like – just click “accept”!
–Clickjacking, like-farming
IT Security

•Goal: To prevent and detect unauthorized actions by users and nonusers of systems
•How is it achieved?
–Security principles / concepts
•Guide information system design and development
–Security mechanisms
•Secure existing information systems
–Physical and organizational security
•Policies help ensure security
IT Security

Three main components of computer and information security:
–Confidentiality: Prevent unauthorized disclosure
•Privacy, secrecy
•HTTPS (HTTP over TLS); PGP; SSH; IPsec
–Integrity: Prevent unauthorized modification
•Access control; hashes, message authentication codes and digital signatures to detect modification
–Availability: Prevent unauthorized withholding
•Uptime, 24/7 operation, redundancy, DDoS mitigation

IT Security

Other factors
–Accountability
•Audits, access control, logging
–Reliability: does the system keep working correctly over time, without unexpected failures?
–Dependability
–Survivability, disaster recovery -unexpected shutdowns, power outages, etc.
Security is a balance
–Policies can interfere with work practices
–Security requires additional IT, financial resources
–Security should be considered from the start, not bolted on afterwards
–In practice, a trade-off between protection, usability and cost
Asking the Right Questions

•Should protection focus on data, operations, or users?
•At what level(s) or layer(s) should we place security?
•Should security control tasks be given to a central entity (e.g. the IT dept.), or left to individual people or departments?
•Who controls security policy?
Hardware Security

•Hardware is physically visible and reachable, which makes it an easy target for criminals
•With physical access it is easy to add, remove, change, or take control of hardware (e.g. a rogue device plugged into the network)
•Physical access also allows intercepting or flooding network traffic
•Physical security (locked rooms, controlled access, cable and port protection) is the first line of defense
Software Security

Interruption or deletion: surprisingly easy!
Modification:
–Logic bomb: code that stays dormant until a trigger condition is met, then causes failure or damage
–Buffer overflow: input longer than the buffer meant to hold it overwrites adjacent memory (a flag, a pointer, a saved return address), so attacker-supplied data ends up steering, or becoming, the code that runs
–Viruses: malicious code that spreads itself by attaching to programs
–Worm: self-reproducing code that spreads on its own over the network, not attached to programs
–Spyware: software you install by accident or as part of a bundle that collects information about you; its adware relatives slow down or disrupt your computer with ads and lead you to phishing sites
–Trapdoor (back door): an undocumented entry point that bypasses normal authentication; a security hole is any exploitable flaw that gives a similar way in
Interception or theft: unauthorized copying of software or data (the transfer mechanism, torrents included, is not what makes it theft; copying what you are not licensed to copy is)
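The buffer overflow bullet, worked through in code. This is an added example and not code from the slides: it uses a hypothetical login record whose 8-byte name buffer sits directly in front of a privilege flag (the no-padding layout is an assumption that holds on common ABIs). An unbounded copy, the behaviour of strcpy(), lets a 9-byte input flip the flag; the hardened version checks the length before copying and rejects anything that does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record used only for this demonstration: an 8-byte name
 * buffer followed directly by a privilege flag.  On common ABIs the int
 * sits at offset 8 with no padding, so bytes 9+ of the input land in it. */
struct login_record {
    char name[8];
    int  is_admin;
};

/* Unbounded copy with the same behaviour as strcpy(): it stops only at the
 * terminating NUL, never at the end of the destination buffer. */
static void copy_unbounded(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0') {
    }
}

/* VULNERABLE: any input longer than 7 characters spills past name[] into
 * is_admin.  Returns the flag as the attacker left it. */
int vulnerable_login(const char *input)
{
    struct login_record r;
    r.is_admin = 0;                 /* nobody is admin by default */
    copy_unbounded(r.name, input);  /* no length check at all */
    return r.is_admin;
}

/* HARDENED: measure the input against the buffer first and reject
 * (return -1) anything that would not fit, terminator included. */
int hardened_login(const char *input)
{
    struct login_record r;
    size_t n = strlen(input);
    r.is_admin = 0;
    if (n >= sizeof r.name) {
        return -1;                  /* over-long input never reaches the buffer */
    }
    memcpy(r.name, input, n + 1);   /* bounded copy, includes the NUL */
    return r.is_admin;
}

int main(void)
{
    /* Constructed attacker input: 8 bytes fill name[], the 9th (0x01)
     * overwrites the first byte of is_admin (its low byte on little-endian
     * machines), and the NUL terminator lands in the byte after that. */
    const char *attack = "AAAAAAAA\x01";
    printf("vulnerable_login(\"alice\") -> %d\n", vulnerable_login("alice"));
    printf("vulnerable_login(attack)  -> %d (non-zero: flag overwritten)\n",
           vulnerable_login(attack));
    printf("hardened_login(attack)    -> %d (rejected)\n", hardened_login(attack));
    return 0;
}
```

The same mechanism is what the slide calls "disguise code as data": in the classic stack smash the overwritten field is the saved return address rather than a flag, so when the function returns the CPU jumps into bytes the attacker supplied as input.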
Information Security

Social engineering
–Manipulation of people through social factors to perform actions or divulge confidential information, compromising IT security
–Phishing, impersonation (pretexting); war-driving, driving around scanning for open Wi-Fi networks, is technical reconnaissance rather than social engineering, though it is often listed alongside
Encryption
–Encoding information such that only those with a given “key” can decode it
–PGP, PKI, VPNs
Internet Security: VPNs

Virtual Private Network
–Allows for private communications over public networks (such as the Internet)
–Secured through authentication, encryption, and tunneling protocols
•Tunneling encapsulates the private traffic inside packets carried over the public network; combined with encryption, others on the path cannot read it
•The tunnel is what gives VPNs their “virtuality”
•IPsec (IP Security), SSL/TLS (TLS in any current deployment; SSL itself is deprecated), and other protocols
Protecting Security

Basics: Firewall, anti-virus, anti-spyware, patches, strong passwords, backups
–Password guidelines vary, but commonly include:
•At least 12-14 characters
•Randomly generated, if feasible
•Avoid dictionary words, names, ID numbers, etc.
•Use mixed case, symbols, numbers
•Don’t use the same password for everything!
•Change it when you suspect it has been exposed (current NIST guidance, SP 800-63B, no longer recommends routine forced changes, which push people toward predictable variations)
Protecting Security

Risk Assessment
–Identify business assets of relevance
–Identify risks to security and privacy
–Identify impacts to the business
–Associate risks, assets, and impacts
–Recommend actions that can be taken

FSU Information Technology Services on IT Security at FSU
Security: More Information

Security news sources
–Sophos’s Naked Security blog
–SANS Internet Storm Center
CERT: Computer Emergency Response / Readiness Team
http://www.cert.org
http://www.us-cert.gov/
Certified Information Systems Security Professional (CISSP)
https://www.isc2.org/cissp/default.aspx
LIS 4774 Information Security
–Offered fall semesters with Dr. Shuyuan Mary Ho


Types of WiFi Security


WEP - Wired Equivalent Privacy: 40- or 104-bit RC4 keys, outdated and crackable within minutes; never use it.
WPA - Wi-Fi Protected Access: interim replacement (TKIP, still RC4-based), more secure than WEP but also retired. Best option: WPA2 with AES-CCMP (128-bit AES keys; the 256-bit figure is the pre-shared key derived from the passphrase), or WPA3 where the hardware supports it.

VPNs


VPNs - Virtual Private Networks: Allow for private communication over public networks or the Internet. Secured by encryption and tunneling. Tunneling is what allows VPNs to exist; together with encryption it protects traffic from being read by other users.

Benefits of a VPN include connecting sites across multiple geographic areas without needing a dedicated physical line, as well as improved security and flexibility for organizations.

PASSWORDS

Strong Passwords - A password that is difficult to guess for both humans and computer programs. Older guidance said at least six characters; that is too short against offline guessing, and the 12-14 character minimum given earlier on this page is the figure to use. Combine letters, numbers and symbols; passwords are case-sensitive, so mixed case counts.

Passwords should be different! Do not use the same password for everything.
